Multi WAN and ipv6

[wget]

Just re-installed the beta again, updated and installed the new dhcp6c and all is sweet. I did not even install the patches and its working.

Could you write down the exact steps you followed?

[marjohn56]

Download the beta image here https://pkg.opnsense.org/FreeBSD:12:amd64/snapshots/


Boot from the image and remember to import the config file when it asks you, log in as installer and install it.


Once rebooted carry out the steps for opnsense-code core and dhcp6c. that should get you up and running.


To be honest, I'd need to look at those patches to see what they were for, I think they were just improvements around dhcp6c and radvd. It should work without, mine does straight away.

[wget]

It should work without, mine does straight away.

Ok. I'll test this out with the link you provided to me first, without the patches.

1) Just to be sure. When exporting settings and reimporting them, is the private key of VPN exported as well? Otherwise I would be awful.

2) When testing out, are you using a VM with other connected to simulate 2 WAN, or are you using your real WAN at ZEN UK and adding another server upstream to generate a dummy WAN2? Just asking because I don't have a lab yet, and my OPNsense is kind of my prod right now =)

[marjohn56]

Everything is imported. Save your config to file as well, if you don't do that already, just in case.


I have two Qotoms and an APU, my primary Qotom get's a /48 and I'm splitting that, in this case  a /56 and a /60 to VLANs. My test Qotom then has two WAN ports, one on each of the VLANs. The LAN outputs of the test Qotom have one output to my PC, and the second goes on to the APU where its yet again fed into the WAN port and the two LANs off that.... cool eh?  8)

[marjohn56]

OK. went back to remind myself what those patches were for. They tidy up some dhcpdv6 and radvd stuff so add them.

[wget]

OK. went back to remind myself what those patches were for. They tidy up some dhcpdv6 and radvd stuff so add them.

As I have been trying out the previous process and debugging other issues, my 20.1 based installation what somewhat broken and I decided to reinstall everything from scratch. I was using the same install since a bunch of years now anyway and the reboot process was taking much more time than needed. So the 20.7 even in a dev variant was still a better bet:
https://forum.opnsense.org/index.php?topic=16545.msg79992#msg79992
And indeed it was. With a brand new install, the reboot process is so fast. ;)

However, exactly like my broken 20.1 build, my LAN is not receiving any IPv6 address any more. Like specified in my review of the 20.7 in the link just above, the LAN interface generates an IPv6 from the prefix delegation received from the WAN. However, the machines on the LAN are not seeing RA packets, so no IPv6 on the LAN :( Above all, the OPNsense router cannot even communicate to the outside in IPv6, a ping led either from the LAN or the WAN interface is timing out. The issue is not coming from the connection as a rapid test on a TPLink OpenWRT router is proving 20/20 on ipv6-test.com

[marjohn56]

So are you using manual override in the LAN interface for dhcpdv6?

[wget]

So are you using manual override in the LAN interface for dhcpdv6?

Nope. I'm not. Should I? cf. attachment.


As the IPv6 problem is quite huge, the purpose here is at least making it work with my main (cable modem) connection. I'm not to the point of using the second connection yet.

Please note, I haven't manually applied the radvd <-> dhcpv6 patches yet. I'm just using the 20.7 iso that I upgraded upsing the traditional update process, nothing more. :)

[marjohn56]

It should still fire up..


Did you do the opnsense-code dhcp6c etc?

[wget]

Did you do the opnsense-code dhcp6c etc?

Nope I haven't. I just did a fresh reinstall using the 20.7 iso, updated it using the GUI update process, imported my settings and nothing more :)

[wget]

On my side, I'm investigating the MSS (Maximum Segment Size) and the MTU. I think I have seen differences about this between OpenWRT and OPNsense. Might be the reason why IPv6 is going out but not further in the ISP network. May be the reason of RA issues I have on LAN as well.

[marjohn56]

Did you do the opnsense-code dhcp6c etc?

Nope I haven't. I just did a fresh reinstall using the 20.7 iso, updated it using the GUI update process, imported my settings and nothing more :)

Do so, because 20.7 relies on some new stuff in dhcp6c for prefixes.

[wget]

On my side, I'm investigating the MSS (Maximum Segment Size) and the MTU. I think I have seen differences about this between OpenWRT and OPNsense. Might be the reason why IPv6 is going out but not further in the ISP network. May be the reason of RA issues I have on LAN as well.

Ok it was the reason. It seems there has been some regression with the Intel I210 NIC FreeBSD driver with a dot release from 20.1.x and from 20.7. Indeed, I had to reset the MTU size to 1536 and force the overriding in the DHCP client otherwise this was not working. (cf. screenshot below).

Procedure of the test:

• Opening a split terminal side by side
• Run tcpdump -i igb1 -n host google.com -v -w tcpdump-google.com.pcap where igb1 is the WAN interface I wanted to checkout
• Run in the other terminal split window: curl -6 --interface 2a02:XXXX::XXXX -k -L google.com where 2a02:XXXX::XXXX is the IPv6 of the interface you want to check out
• Open Wireshark and see the field named MSS (Maximum Segment Size) in the TCP OPTIONS of the initial SYN fragment.
  (tested with a SYN packet)

Max MSS calculation:
1476 (max MSS IPv6): 1536 (MTU of Ethernet II) - 40 (IPv6 header) - 20 (TCP header)
1496 (max MSS IPv4): 1536 (MTU of Ethernet II) - 20 (IPv4 header) - 20 (TCP header)

OpenWRT:
MSS: 1440
MSS: 1460

OPNsense:
MSS: 516 in IPv6
MSS: 536 in IPv4

OPNsense after the MTU override:
MSS: 1440 in IPv6
MSS: 1496 in IPv4

Note: the MSS is determined by the TCP protocol during the handshake, so depending on the needed payload it may be less than the 1496 and 1476 we computed above, that's the reason the values are not exactly equal to 1496 and 1476, but are quite near.

[wget]

Do so, because 20.7 relies on some new stuff in dhcp6c for prefixes.

Now my IPv6 connection if fixed \o/, I'll enable the second WAN (xDSL baed) and will let you know whether the additional patches were needed or not =)

[wget]

Now my IPv6 connection if fixed \o/, I'll enable the second WAN (xDSL baed) and will let you know whether the additional patches were needed or not =)

Ok without the patches, the xDSL is working, but no IPv6. I need to go in assignment and reload the interface to get an IPv6.

Also, for a reason I don't know curling google via pppoe0 or igb2 in IPv4 is working while in IPv6 this isn't :/

Code Select Expand


root@portal:/home/wget # curl -6 --interface 2a02:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX -k -L google.com
curl: (28) Failed to connect to google.com port 80: Operation timed out


(that IP address is corresponding to the one on igb2)

and a TCP dump on that interface is not returning any thing (pcap empty).

Let me know if you have an idea before I try to apply the additional patches which will certainly break my whole OS again ;D